Hackers compromised CCleaner free software, Avast's Piriform says

Joseph Menn

SAN FRANCISCO, Sept 18 (Reuters) - Hackers broke into
British company Piriform's free software for optimizing computer
performance last month and installed tools that could have
allowed them to take control of tens of millions of devices, the
company and independent researchers said on Monday.

The malicious program was slipped into legitimate software
called CCleaner, which is downloaded for personal computers and
Android phones as often as 5 million times a week. It cleans up
junk programmes and advertising cookies to speed up devices.

CCleaner is the main product made by London's Piriform,
which was bought in July by Prague-based Avast, one of the
world’s largest computer security vendors. At the time of the
acquisition, the company said 130 million people used CCleaner.

A version of CCleaner downloaded in August included remote
administration tools that tried to connect to several
unregistered web pages, presumably to download additional
unauthorized programs, security researchers at Cisco's
Talos unit said.

Talos researcher Craig Williams said it was a sophisticated
attack since it penetrated an established and trusted supplier
in a manner similar to June's “NotPetya” attack on companies
that downloaded infected Ukrainian accounting software.

"There is nothing a user could have noticed," Williams said,
noting that the optimization software had a proper digital
certificate, which means other computers automatically trust the
program.

In a blog post, Piriform confirmed that two programmes
released in August were compromised. It advised users of
CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 to download
new versions. It did not disclose how many users were affected.

Piriform said Avast, its new parent company, had uncovered
the attacks on September 12. A new, uncompromised version of
CCleaner was released the same day and a clean version of
CCleaner Cloud was released on September 15, it said.

The nature of the attack code suggests that the hacker won
access to a machine used to create CCleaner, Williams said.

CCleaner does not update automatically, so each person who
has installed the problematic version will need to delete it and
install a fresh version, he said.

Williams said Talos detected the issue at an early stage,
when the hackers appeared to be collecting information from
infected machines, rather than forcing them to install new
programs.

Piriform said it had worked with U.S. law enforcement to
shut down a server located in the United States to which traffic
was set to be directed.

It said the server was closed down on Sept. 15 "before any
known harm was done".

(Additional reporting by Eric Auchard in Frankfurt; editing by
Jason Neely)